1 xangelusx Aug 04, 2006 23:12
3 blueyed Aug 05, 2006 00:59
If you set this to 1800 (30 minutes), the user would have to re-login every 30 minutes. Is this what you want?
4 xangelusx Aug 05, 2006 03:52
Hmmm, no, not exactly. I'm using an AlternateAuthentication plugin, the basis of which expires after 30 minutes of inactivity. I'm finding that users can go right into the blog, even after being inactive for as long as a day. This is because the cookie is picked up and read before the AlternateAuthentication event is fired, so I never have a chance to make sure they are still authenticated before b2evolution lets them through.
Is there an event that fires soon after the cookie is used to authenticate? If so, I can check to make sure that they are still logged in to our authentication system too.
5 blueyed Aug 05, 2006 04:47
SessionLoaded might fit your needs (call logout() therein for users that are not logged in anymore - $UserCache->get_by_ID( $Session->user_ID ) gives you the user object; you would have to load the class file and create the cache object yourself, though... :/)
A better idea would be to hook AfterLoginRegisteredUser and logout() the user there and then redirect to the same page again:
header_redirect( $ReqHost.$ReqURI );
exit();
6 blueyed Aug 05, 2006 04:48
Also, setting the session timeout to 30 mins (as said before) should do the trick, shouldn't it?!
7 xangelusx Aug 07, 2006 20:01
blueyed wrote:
Also, setting the session timeout to 30 mins (as said before) should do the trick, shouldn't it?!
"You cannot set a session timeout below 3600 seconds." :(
I'll try the event hack that you mentioned.
Thanks!
8 blueyed Aug 07, 2006 20:25
Thinking about it, this limit is not very good anyway. There are other systems that use 900 seconds (15 minutes) by default.
So, better hack /inc/CONTROL/settings/features.php and change it there... search for "You cannot set".
I'll change the limit/check to 30 seconds.
9 blueyed Aug 07, 2006 20:28
10 xangelusx Aug 07, 2006 20:37
Great, thanks :) I decided to add the check to my plugin anyway. Basically, if the plugin senses that the user is logged in to b2evo (via the AfterLoginRegisteredUser event) but not logged in to the underlying auth system, then I force a login to the auth system. If the user logs in with the same login ID that b2evo already has, then the request moves on. Otherwise, if a new user ID is detected, then I log the user out of b2evo and force a new request so that the AlternateAuthentication code can run. Still testing, but it seems to work initially.
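The hook-based re-validation that blueyed sketched in post 5 and that xangelusx describes above, written out as an added example. This is not code from the thread or from b2evolution; the external authentication system is modelled by a hypothetical adapter (external_auth_current_login(), a $_SESSION['ext_auth'] record with a last_seen timestamp, and a 1800-second idle window), and the plugin class name, $code/$name/$version fields and the $User->login property are assumptions. AfterLoginRegisteredUser, $Session->user_ID, $UserCache->get_by_ID(), logout(), header_redirect(), $ReqHost and $ReqURI are the b2evolution names the thread itself uses.

```php
<?php
/*
 * Added example (not from the original thread, not b2evolution's own code).
 *
 * Idea: b2evolution accepts its own session cookie (lifetime up to 7 days)
 * before any plugin authentication event fires, so a plugin that trusts an
 * external system with a 30-minute idle timeout must re-check that system
 * every time b2evolution attaches a registered user to the request.
 */

/* ---- Hypothetical external-auth adapter (assumption, not a real API) ---- */

define( 'EXT_AUTH_IDLE_SECONDS', 1800 );   // 30 minutes of inactivity

/**
 * Returns the login the external system still considers authenticated,
 * or NULL when there is no external session or it has idled out.
 * Models the external store as a $_SESSION['ext_auth'] record (assumption).
 */
function external_auth_current_login()
{
	if( empty( $_SESSION['ext_auth']['login'] ) || empty( $_SESSION['ext_auth']['last_seen'] ) )
	{
		return NULL;
	}
	if( time() - (int)$_SESSION['ext_auth']['last_seen'] > EXT_AUTH_IDLE_SECONDS )
	{
		unset( $_SESSION['ext_auth'] );   // idled out: drop it, do not extend it
		return NULL;
	}
	$_SESSION['ext_auth']['last_seen'] = time();   // activity keeps the session alive
	return (string)$_SESSION['ext_auth']['login'];
}

/* ---- Plugin ---- */

class ext_auth_revalidate_plugin extends Plugin   // class name is an assumption
{
	var $code = 'extauthrv';
	var $name = 'Re-validate external login';
	var $version = '0.1';

	/**
	 * Fires after b2evolution has read its cookie and attached a registered
	 * user: the first point at which the cookie-backed user can be compared
	 * against the external authentication system.
	 */
	function AfterLoginRegisteredUser( & $params )
	{
		global $Session, $UserCache, $ReqHost, $ReqURI;

		if( empty( $Session->user_ID ) )
		{
			return;   // anonymous request, nothing to re-validate
		}
		$User = $UserCache->get_by_ID( $Session->user_ID, false );
		if( ! $User )
		{
			return;
		}
		$b2evo_login = (string)$User->login;      // $User->login is an assumption
		$ext_login   = external_auth_current_login();

		// Either the external session idled out, or a different identity is
		// now authenticated externally. In both cases the b2evolution session
		// must not outlive the external one: log out and reload the same URL,
		// so the alternate-authentication path runs on the next request.
		if( $ext_login === NULL || $ext_login !== $b2evo_login )
		{
			logout();
			header_redirect( $ReqHost.$ReqURI );
			exit();
		}
		// Same login on both sides: let the request proceed.
	}
}
```

Two design points worth keeping from the thread: the comparison is on the login, not merely on "some external session exists", so a second person authenticating externally on the same browser cannot ride the first person's b2evolution cookie; and the idle check does not extend an expired external session, it only refreshes one that is still inside the window.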
It's actually only 7 days (604800/60/60/24 - see "App settings" / "features" / "Session-Timeout").
It's just the cookie that has this lifetime.